LINKOPTIMIZER - log di gmer - AIUTO!!!!

[Giuggiola]

Salve a tutti,
sono giorni che impazzisco per colpa di LinkOptimizer.
Ho provato di tutto, antivirus, anti spyware, etc....
Alla fine ho perso le speranze e ho cercato nei forum..... trovando più riferimenti di quelli che mi sarei aspettata!

Ed eccomi qui! Ho fatto quello che ho letto in altri topic!
Ho disinstallato LinkOptimizer con MyUninstaller v1.34.
Ho tolto utenti sospetti dagli user account
Ho scarica Gmer e fatto la scansione su Rootkit e Autostart ed ecco qui i log.....

AIUTATEMI PER FAVORE!!!
I miei colleghi minacciano di formattarmi il pc.......

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-12 12:21:21
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.10 ----

SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
---- Processes - GMER 1.0.10 ----

Library C:\WINNT\fikne1.dll (*** hidden *** ) @ C:\WINNT\Explorer.EXE [1240] 0x04A10000 <-- ROOTKIT !!!
Library C:\WINNT\fikne1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [1612] 0x02840000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINNT\fikne1.dll
File C:\WINNT\prn.zmc

---- EOF - GMER 1.0.10 ----




GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-12 12:21:59
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WRNotifier@DLLName = WRLogonNTF.dll /*file not found*/
wzcnotif@DLLName = wzcdlg.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINNT\prn.zmc

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AdobeActiveFileMonitor /*Adobe Active File Monitor*/@ = C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
NetFgn /*NetFgn*/@ = "C:\Programmi\File comuni\System\DsiZk.exe"
PhotoshopElementsDeviceConnect /*Photoshop Elements Device Connect*/@ = C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINNT\system32\MsPMSPSv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINNT\system32\igfxtray.exe = C:\WINNT\system32\igfxtray.exe
@HotKeysCmdsC:\WINNT\system32\hkcmd.exe = C:\WINNT\system32\hkcmd.exe
@projselector"C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe" -r = "C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe" -r
@RoxioEngineUtility"C:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe" = "C:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe"
@RoxioDragToDisc"C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" = "C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@CloneCDTray"C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s = "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@!ewido"C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized = "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Roxio DragToDisc Shell Extension*/C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll = C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll
@{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001} /*Allaire FTP & RDS*/C:\WINNT\system32\CFSHEL~1.DLL = C:\WINNT\system32\CFSHEL~1.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Programmi\Microsoft Office\Office\soa800.dll = C:\Programmi\Microsoft Office\Office\soa800.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
@{49707377-6974-6368-2E4A-756E6F644A01} /*WS_FTP Pro Explorer*/C:\Program Files\WS_FTP Pro\ftpproex.dll = C:\Program Files\WS_FTP Pro\ftpproex.dll
@{52B87208-9CCF-42C9-B88E-069281105805} /*Trojan Remover Shell Extension*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
UltraEdit-32@{b5eedee0-c06e-11cf-8c56-444553540000} = C:\Programmi\UltraEdit\ue32ctmn.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
@{68B86FF6-CA65-08C9-FF01-83750F87B3C2}C:\WINNT\fikne1.dll = C:\WINNT\fikne1.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.ciseonweb.it/ = http://www.ciseonweb.it/
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINNT\system32\msvidctl.dll
its@CLSID = C:\WINNT\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINNT\system32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINNT\system32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5EF558AF-5D6D-42D2-9813-8DB053A83101} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.0.0.20 = 10.0.0.20
@NameServer212.141.22.163 = 212.141.22.163
@DefaultGateway10.0.0.1 = 10.0.0.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Avvio Office.lnk = Avvio Office.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, scarica avenger sul desktop http://swandog46.geekstogo.com/avenger.zip

scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\NetFgn
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {68B86FF6-CA65-08C9-FF01-83750F87B3C2}


Files to delete:
C:\WINNT\fikne1.dll
C:\WINNT\prn.zmc
C:\Programmi\File comuni\System\DsiZk.exe

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes o Sì
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Posta il log di Avenger (C:/avenger.txt) con l´esito dello script


Verifica se in C:\Programmi\File comuni\System, ci sono altri file eseguibili sospetti e/o colorati di verde.
Rendi prima visibili file e cartelle nascosti:
da gestione del computer>strumenti>Opzioni Cartella
Seleziona Visualizza
Spunta "mostra file e cartelle nascoste"
Togli la spunta da "nascondi file protetti di sistema (consigliato)
Premi OK

[andorra24]

Scarica questo tool:

http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\NetFgn
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68B86FF6-CA65-08C9-FF01-83750F87B3C2}

Files to delete:
C:\WINNT\fikne1.dll
C:\WINNT\prn.zmc
C:\Programmi\File comuni\System\DsiZk.exe

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo, se così non fosse riavvialo manualmente.
L’esito dello script si troverà nella cartella C:/avenger.txt.

[andorra24]

Opssss scusa Luke, stavo scrivendo il post e non ho potuto vedere la tua risposta.

[Giuggiola]

Grazie a tutti e due!
Dunque adesso sono messa così:
nella root di c: c'è una cartella di Avenger con dentro il file prn.zmc (uno di quelli da eliminare).
in C:\Programmi\File comuni\System non mi sembra esserci nulla di strano, ho i file:
directdb.dll
wab32.dll
wab32res.dll
e alcune cartelle.

E' finita??? C'è altro da fare???
Grazie mille non so come ringraziarvi!!!!


Vi riporto il file avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\byuehgvj

*******************

Script file located at: \??\C:\Program Files\huispixi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\NetFgn deleted successfully.
File C:\WINNT\fikne1.dll deleted successfully.
File C:\WINNT\prn.zmc deleted successfully.
File C:\Programmi\File comuni\System\DsiZk.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {68B86FF6-CA65-08C9-FF01-83750F87B3C2} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {68B86FF6-CA65-08C9-FF01-83750F87B3C2} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[andorra24]

Posta un log di hijackthis per un controllo.

[Giuggiola]

Posta un log di hijackthis per un controllo.

Subito capo!!!
Ecco qua:


Logfile of HijackThis v1.99.1
Scan saved at 13.18.34, on 12/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe
C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\HJT\HijackThis.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ciseonweb.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.1.13:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: 212.141.22.168 test.www.ciseonweb.it
O1 - Hosts: 212.141.22.168 test.www.lavoroetico.org
O1 - Hosts: 212.141.22.168 test.www.sawnet.info
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {68B86FF6-CA65-08C9-FF01-83750F87B3C2} - C:\WINNT\fikne1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [projselector] "C:\Programmi\File comuni\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Programmi\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Save Flash - res://C:\Programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmi\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programmi\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programmi\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF558AF-5D6D-42D2-9813-8DB053A83101}: NameServer = 212.141.22.163
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

[Luke57]

Opssss scusa Luke, stavo scrivendo il post e non ho potuto vedere la tua risposta.

Ciao Anna, ma figurati se non ti scuso

[andorra24]

Metti la spunta nella casellina accanto alle seguenti voci e premi fix checked dopo aver chiuso il browser e ogni altro programma aperto:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {68B86FF6-CA65-08C9-FF01-83750F87B3C2} - C:\WINNT\fikne1.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

[Giuggiola]

Grazie mille!
Ho fatto tutto. Compreso un riavvio e un altro scan con hijackthis.
Sembra che non ci siano più problemi simili!!!

Ancora grazie!!!